Hi all,
I inherited a PA / PAW server that was installed with SSO before I arrived. It's a Windows Server 2016 machine with IIS 10 and PA 57 installed.
For reasons I won't go into, the server was set up using my colleague's AD account, rather than a dedicated service account. The account ended up being used for everything -- the Windows services, API Authentication and database connection, and who knows what else.
When my colleague resigned, his AD account was disabled, and of course all hell broke loose.
I re-enabled the account temporarily and did my best to unravel the maze of dependencies as best I could. However, when it came to disabling the AD account again, I found it caused SSO to stop working.
Users can still log in by typing their AD username and password and everything works as expected, but it would be ideal to re-establish SSO.
I can't for the life of me understand how the SSO could be dependent on an AD account, but I have re-enabled the account and the SSO magically starts working again. It is definitely the cause.
Does anyone have any suggestions as to what could be happening?
HELP! SSO broken by disabling AD user account?
- Harvey
- Community Contributor
- Posts: 236
- Joined: Mon Aug 04, 2008 4:43 am
- OLAP Product: PA, TM1, CX, Palo
- Version: TM1 8.3 onwards
- Excel Version: 2003 onwards
Take your TM1 experience to the next level - TM1Innovators.net
- Ajay
- Regular Participant
- Posts: 183
- Joined: Wed May 14, 2008 8:27 am
- OLAP Product: TM1
- Version: 10.2.0, PA 2.0.9
- Excel Version: 2016
- Location: London
Re: HELP! SSO broken by disabling AD user account?
Harvey
I am assuming you have a local install.
Have you checked what account is being used in the "ApplicationPoolIdentity" within the ICAPool of IIS?
Once you've changed the account, STOP and then START the ICAPool.
Does this work?
Ajay
-
- Regular Participant
- Posts: 197
- Joined: Wed May 06, 2020 2:58 pm
- OLAP Product: Planning Analytics
- Version: 2.0.9
- Excel Version: 2016
Re: HELP! SSO broken by disabling AD user account?
Ajay's response would be my first bet. But some other questions if that doesn't work... What method of single sign-on is set up, Kerberos or identity mapping? If you have a single sign-on option set to identity mapping within the advanced properties of the CA config, then it's identity mapping, otherwise it's Kerberos. If it's Kerberos, the Kerberos account that is set up may not have privileges to pass the token.
Have you had to change the binding account for the Active Directory/authentication within Cognos Configuration?
- Harvey
Re: HELP! SSO broken by disabling AD user account?
The Application Pool was ok, but burnstripe's suggestion about the CA Binding Identity did the trick. Thanks so much to you both!
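An added example, not posted by anyone in the thread: a PowerShell inventory of the run-as identities discussed above (Windows services, IIS application pools such as ICAPool, and scheduled tasks) that still reference one AD account, to run before that account is disabled. The account name `CONTOSO\jsmith` is a constructed placeholder; the binding credentials in Cognos Configuration that resolved this thread are not covered by the script and have to be checked in Cognos Configuration itself.

```powershell
# Added example: list where one AD account is used as a run-as identity
# on this server. 'CONTOSO\jsmith' is a constructed placeholder.
param(
    [string]$Account = 'CONTOSO\jsmith'
)

# Match the DOMAIN\user, user@domain and bare user forms of the same account.
$sam     = ($Account -split '\\')[-1]
$pattern = '(^|\\)' + [regex]::Escape($sam) + '(@|$)'

$findings = @()

# 1. Windows services whose logon account is the target.
Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.StartName -match $pattern } |
    ForEach-Object {
        $findings += [pscustomobject]@{
            Type = 'Service'; Name = $_.Name; Identity = $_.StartName
        }
    }

# 2. IIS application pools (e.g. ICAPool) configured to run as a specific user.
if (Get-Module -ListAvailable -Name WebAdministration) {
    Import-Module WebAdministration
    Get-ChildItem IIS:\AppPools | ForEach-Object {
        $pm = $_.processModel
        if ($pm.identityType -eq 'SpecificUser' -and $pm.userName -match $pattern) {
            $findings += [pscustomobject]@{
                Type = 'AppPool'; Name = $_.Name; Identity = $pm.userName
            }
        }
    }
}

# 3. Scheduled tasks registered to run as the target account.
Get-ScheduledTask |
    Where-Object { $_.Principal.UserId -match $pattern } |
    ForEach-Object {
        $findings += [pscustomobject]@{
            Type = 'ScheduledTask'; Name = $_.TaskPath + $_.TaskName
            Identity = $_.Principal.UserId
        }
    }

# Anything listed here still depends on the account.
$findings | Sort-Object Type, Name | Format-Table -AutoSize
```

Run it from an elevated prompt on the PA / IIS server; an empty result only clears these three locations, not credentials stored inside application configuration.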